7 ways to exploit psychology to sell security

I have felt the bitter taste of defeat many times. That feeling in a meeting, on a call or at a presentation when you feel the tide turning against you. All the logical arguments that seemed so persuasive ten minutes ago have evaporated and all you have is another meeting or a working group to explore options. The security improvements that were so badly needed are rejected once more. @J4vv4d from Quantainia writes for a new year's resolution "If you've heard me talk about security but still don't think it's important, that's my fault not yours". So why not use some techniques from psychology to help?

I am slowly making my way through Schneier's essays on Instapaper and found this one on the psychology of security. If you have ever wondered why certain security projects get funded, why some decks work a lot better than others and why some arguments seem to resonate over others of equivalent merit, then the psychology of security holds a lot of answers. Schneier provides the theory, research and some tricks and recommendations on using psychology to sell security; this is my take on expanding those techniques. The basis for all of this is grounded in scientific experiments; all the links to the research are in Schneier's essay.

How do you use these? You are never going to remember all of them, and that's often the biggest problem with things like NLP. They are too hard to use in everyday life because they take a lot of unnatural practice before they become second nature. So I suggest that you use them as a checklist or put the key points into a mindmap. Check them before and after writing your next deck or business case. Practice often enough and you will start using them in conversations, meetings, and calls.

1. Play up spectacular risks.

Schneier: "People exaggerate spectacular but rare risks and downplay common risks." Intuitively you know this to be true. There is a far greater risk of dying in a car crash, but more people are afraid of flying. At the time of writing in May 2011, 9/11 was nearly 10 years ago, but it led to a massive pay day for every security agency. Even 10 years on its power is so great that the US government was able to extend the Patriot Act for another four years. The massive over-reaction that meant a huge erosion of American civil liberties was extended without cause, all because of a spectacular risk from 10 years ago. Now you may not want to use this because it seems like FUD. Well guess what? FUD works. You can either continue an ideological objection to FUD or you can get paid. Or feed your kids, increase your reputation and influence, get that security improvement you know really needs to be done. Whatever floats your boat. So play up the Chinese hackers, cyber-warfare and advanced persistent threats.

Risks from sources people do not trust seem more plausible. This is why you need to forget about that insider threat argument. It is never going to work. You want to play up the uncertainty. Detailed scenarios also increase believability. Put in gory details; really describe a scenario rather than a scattergun bullet-point approach of possible threats. That's why I love attack trees. If you do not have the numbers, as we often don't, use the fact that people tend to ignore probabilities where there is a high emotional content. Play up the emotions in your detailed scenario of Chinese hackers for maximum effectiveness. Grouping risks together for executive management is not your friend. Evaluating risks as a group makes them seem less risky. If you are only getting a 5 minute slot, or one slide, prioritize and present the most compelling, most emotional and spectacular risk scenario. Finally, leverage the anchoring effect. High loss numbers like Sony's 100 million records lost, or HSBC being fined $4 million for losing two CDs of customer data, are great for this. Write the number on a whiteboard they can see when they walk in. Even if you do not directly talk about it, the number is anchored in their minds. When you talk about a loss or risk this will then make them perceive it as more risky.

2. Make it personal.

If you really want that new data loss prevention system, talk to the execs about their email being stolen, or about their laptop or BlackBerry being hacked. What would they do if there were fraudulent credit card transactions on their statement? Even for impacts like damage to the company brand, it is so much more persuasive if put in a personal context. A major incident would affect the brand and reduce long-term share price and growth, which would have a significant impact on anyone with share options to vest in a few years. Kids are a great lever. We seem to have an evolutionary response against anything that will harm kids. While logical from an evolutionary perspective, today this is often applied irrationally and can be exploited. Link your risk not just to Mr Senior Manager and his wallet but also to his kids. We store a lot of personal data in our databases. Imagine if your kids' personal data was all over the Internet?

3. Overestimation of current risks

At the time of writing this links very nicely with 1, spectacular risks. With the high profile hacks of RSA and Sony and the Apple and Google location-gate scandals there should be plenty of current events to shape to your purpose. Emotional events are even better, e.g. 9/11; location and privacy issues work well for us also. This works because recent events are easier to imagine and therefore more effective, regardless of their actual likelihood or applicability to your company. Imagination is also a wonderful thing. Considering a particular outcome in your imagination makes you think it is more likely to occur. An outcome that is more difficult to imagine will be marked down even if you have all the numbers to back it up. You can link this with anchoring through techniques like getting your manager to imagine a malware infection on their kids' computer before you make your pitch for the new IDS.

4. Overestimation of risks outside their control

Again, this is another reason for the flying vs. driving risk failure. This is why the cloud seems so scary, even though the insider threat could happen in any company. There is an illusion of control over "employees" in your own company vs. another company you contract with, even though, especially in large companies, it would be just as easy for organized crime or a government to get a cleaner or temp into either. Any risk that is imposed, where they have no control, always seems higher. This is another reason to play up regulation, class actions and contract breaches rather than internal policies and standards when you want to get something done.

5. Risk of large loss chosen over certain small loss

This is why you lose. Consider the risk of a massive loss, e.g. Sony, now estimated at $130 million from the PSN hack, part of an overall $1.3 billion loss and untold reputational damage. I bet some poor sucker in security tried to convince them years ago that they should patch the Apache servers or that they should encrypt customer personal information. Take the certain loss of a security investment now, or an uncertain huge loss later. Guess which one was chosen? Better safe than Sony. Given a chance of a big loss vs. a certain small loss, the big loss will be chosen by most people. Strangely enough, that is how we try to make most business cases for security: spend this small amount now to avoid this big risk in future. And we are still surprised when it doesn't work. Getting through today is what is most important. This project. This quarter. This year. Even presenting the risk as a small, immediate loss will be more successful than the complex calculation of future losses. A delay to the project, extra defect repair costs, a certain fine from a regulator are all good things to use. People are also more likely to accept a smaller incremental gain than a chance at a larger gain. The bird in the hand. This is actually also good for your delivery. Do not go for big bang. Focus on small incremental gains. It may be easier and ultimately more fruitful to go for extra features in what you already have, such as that web application firewall or IPS module in your load balancer, than a completely new system.

6. Exploit heuristics

Rules of thumb. Just the wording and re-framing of an argument can make all the difference. In studies over 70% choose the positively worded outcome even when the probability is equal. So why say the chance to lose 10 million when you can present it as an opportunity to save 10 million? People tend to accept things closer to the current state. They are going to trade off more for security they have become accustomed to. This explains the success of firewall and anti-virus companies. Can you bolt on an IPS to a firewall or removable media control to your AV? Risks involving people rate higher. If you really want to sell your APT or malware threat, talk about the humans that wrote and benefit from it and how they and their kids are personally affected. We evaluate small numbers well but suck at larger numbers. So use small numbers and percentages. A computer in our company, just like the one you use or your kid at home, is infected once every 2 seconds. One in every three documents, just like the board minutes for this meeting, sent out of the company is an office document.

7. Costs

Finally, on presenting costs in a way that increases your chances of success. People judge costs by reference. They are willing to pay more for something that seems like it should be more expensive. Tiffany's have been using this for years, why can't you? To build world-class security to support a world-class consumer experience you need to spend $X on security. Small costs are not accounted for in mental accounting. Can you present your cost as a cost per user, cost per event or incident, or $ per day? The framing effect: always show the highest cost option first and the one you actually want in the middle. Time discounting: costs and benefits in the future are discounted. Gains are discounted more than losses and smaller amounts are discounted more than large ones. Present your savings in the first year and load up your higher costs on the back end.

Recap

To sell security effectively:

Play up spectacular risks

Make it personal and use kids

Use 1-3 examples of current events

Use examples of threats outside of management control

Present certain, current losses even if small. Aim for incremental improvements in security